“You could have the hardest-to-guess password, salted and hashed thousands of times, and still be at risk.
That happened about a year ago at Dropbox, for instance, when the file-sharing site inadvertently removed its authentication validation altogether for a few hours. Anyone could use any password.
It’s happened again, this time with a more corporate angle.
Open source database giant MySQL (and its post-Oracle fork, MariaDB) contained a bug which meant that your password might be checked correctly only 255 out of every 256 times. One in 256 times, anything might get you in.”